Data breaches have become so common at this point that the mere fact that a government agency such as the South Carolina Department of Revenue loses several million Social Security numbers and credit card numbers isn’t really that noteworthy. It’s another day in the life of the Internet. But what is remarkable is that there are organizations out there that are not deploying encryption technologies to protect personally identifiable information because it’s complicated. Really?
That’s an interesting term, complicated. It can be used in a number of different ways and have several meanings depending upon the context. The classical usage is as a synonym for complex, as in difficult to understand or unwind. And perhaps that’s what Nikki Haley, governor of South Carolina, meant when she said in a press conference earlier this week that the SSNs of millions of South Carolina residents weren’t encrypted at the time they were stolen because it’s “very complicated”.
Encryption is complicated. No argument there. It’s complicated enough that the smartest cryptographers in the world sometimes make mistakes and get things wrong. And people implementing cryptographic algorithms in various software packages make mistakes all the time and attackers find ways to circumvent the complicated encryption and get the data they’re after anyway.
But there’s another popular usage for complicated, as well, and that’s the “it’s complicated”, Facebook-esque deployment of the term. This means, in effect, there are a lot of things involved here, lots of moving parts and it’s too complex to explain right now. This, I think, is what Haley meant when she made that fateful comment. Responding to a reporter’s question, Haley said that many banks and government agencies don’t encrypt Social Security numbers and the reason is that it’s “very complicated, it’s cumbersome and there’s a lot of numbers involved with it.”
The decision on whether to encrypt stored SSNs is not something that typically lands on the desk of a governor. Decisions about which technology to buy are made much farther down the food chain and there are probably a number of factors that go into it, including the difficulty of deploying an encryption solution, the perceived threat to citizens if their data was stolen, and, of course, money. Database encryption solutions aren’t free and they take time to implement. But it’s highly unlikely that anyone on the security team at the Department of Revenue recommended storing millions of SSNs in plaintext because the alternative–deploying an encryption package–was too complicated.
More likely, someone looked at his budget, looked at the price of the database encryption package, and made a hard choice. Lots of businesses, government agencies, non-profits and other organizations face the same choice every year and some of them decide that the cost of the encryption outweighs the potential benefit. And that can work out fine. That is, until something like the South Carolina data breach happens. Then things tend to be not fine.
One could argue that Social Security numbers should not even be considered PII at this point, given that they’re used as account numbers and other identifiers by some companies and that they’re fairly easy to get your hands on if you’re of a mind. But that’s a discussion for another day. The point here is that yes, encryption is complicated and it does involve a lot of numbers, some of which have dollar signs in front of them. But the technology is sufficiently advanced at this point that it doesn’t have to be a nightmarish undertaking.
Even a well-designed and well-implemented encryption system isn’t going to do you much good, though, if an attacker is able to get his hands on a valid set of credentials, as was the case in the South Carolina breach. In her press conference, Haley said that the attacker’s method for compromising the state’s database were “unbelievably creative”. Stealing user credentials is about as uncreative and pedestrian as attacks get. It’s probably number one on the attacker’s list of methods for getting in, or perhaps number two behind someone just handing her username and password across the table during dinner.
Encryption may be complicated and it may also be “complicated” and it’s not going to solve all of your problems, but it’s almost certainly better than standing in front of a group of reporters or customers explaining why all that data just up and walked out the door.